Community Contributions
ICS Watch Dog welcomes contributions from the ICS/OT cybersecurity community. Whether you have a detection module for a specific vendor, a Sysmon configuration for a use case, or a system inventory that reveals coverage gaps, your contributions help the community build better monitoring for industrial environments.
What You Can Contribute
| Contribution | What It Is | How to Submit |
|---|---|---|
| Detection module | An XML fragment with RuleGroup elements for a vendor product, protocol, sector, or detection pattern | Module Submission template |
| Sysmon config | A complete Sysmon configuration for a specific use case (e.g., DNS-focused, historian server) | Pull request to sysmon-configs/community/ |
| System inventory | A sanitized JSON inventory showing what runs on a real OT system (captured with Export-SystemInventory.ps1 -Redact) |
Feature Request template |
| Bug report | A config that fails to load, a tool that errors, or documentation that is wrong | Bug Report template |
| Feature request | A new capability, vendor support, or tool improvement | Feature Request template |
Submitting a Module
Modules are the most common contribution. Use the Module Submission issue template. It asks for:
- Module XML file following the module format (see Build Your Own Module)
- Validation file (
.validation.md) with your checklist results and evidence - Provenance: where the rule content came from (vendor docs, LOLBAS Project, lab testing)
- Confidence level: how much you trust the rules (see below)
- Sanitized inventory (optional): a
-RedactJSON export showing the gap your module fills
Not sure how to build a module? Start with the Build Your Own Module guide.
Acceptance Levels
Contributions are accepted at one of three tiers based on the evidence provided. Higher-confidence submissions are more likely to reach the main library.
| Tier | Confidence | Evidence Required | Where It Ships |
|---|---|---|---|
| Tier A | verified-in-lab | Lab environment description, vendor product and version, evidence that rules fire, baseline observation period (24+ hours), false positive count | Main module library (sysmon-configs/modules/) |
| Tier B | vendor-documented | Vendor documentation URLs, product version range, process names and paths from vendor docs | Community directory (sysmon-configs/community/) |
| Tier C | security-research or theoretical | Source URLs (LOLBAS, MITRE ATT&CK, blog posts) or reasoning for theoretical patterns | Posted as a GitHub issue for community testing before merge |
Tier C submissions can promote to Tier B or A when additional evidence is provided. See the provenance documentation section for the confidence levels.
What to Include
Module submissions
- Module XML file with the standard header (version, schema, ATT&CK tags, provenance block)
- Companion
.validation.mdfile with checklist results - Evidence: vendor documentation URLs, lab test output, or LOLBAS/ATT&CK references
Config submissions
- Complete Sysmon XML config with header (version, author, license, description)
- Schema version and minimum Sysmon version
- Comments explaining non-obvious rules
- Testing notes (what OS and Sysmon version it was tested on)
Config naming convention
sysmonconfig-[description].xml
Use lowercase with hyphens. No spaces or underscores.
Sanitization Requirements
All contributions are public. Before submitting any file:
- Remove all hostnames, IP addresses, and DNS names
- Remove all usernames, passwords, API keys, and license keys
- Remove all internal URLs, network names, and AD domain names
- Review file paths for usernames (
C:\Users\jdoe\) - Review service names and scheduled task names for site-specific identifiers
If submitting a system inventory JSON, use Export-SystemInventory.ps1 -Redact and then review the output manually. The -Redact flag is a mechanical safety net, not a guarantee.
Review Process
Maintainers review each submission against this checklist:
| Check | Requirement |
|---|---|
| XML well-formed | xmllint --noout passes |
| Schema version | Declares 4.90 (or 4.23 for Win7 legacy) |
| Provenance block | Header contains Source, Confidence, Last Validated, Known Limitations |
| ATT&CK tagging | Include rules follow the tagging convention |
| Rule name length | No name attribute exceeds 250 characters |
| Merge test | Module merges into at least one curated config without error |
| Sanitization | No hostnames, IPs, usernames, credentials, or internal paths |
| No malicious content | Rules do not disable security tools, exfiltrate data, or mask activity |
Submissions that fail review receive feedback via the GitHub issue. Contributors can address issues and resubmit.
Current Community Configs
| Config | Author | Description |
|---|---|---|
| sysmonconfig-filecreate-only.xml | Aaron Boyd (icsblitz) | Monitors file creation events for dangerous attachment types, scripts, executables, and archives |
Disclaimer: Community-contributed configurations and modules are not maintained or tested by Cutaway Security, LLC. Users must perform their own due diligence, review, and testing before deploying community contributions in any environment. All configurations are provided as-is and should be validated in a test environment before production use.